Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 14:21
Behavioral tasks
- behavioral1: sample a65ef974cf4bc255d44fa7ab8acddf50.exe, resource win7-20240215-en
- behavioral2: sample a65ef974cf4bc255d44fa7ab8acddf50.exe, resource win10v2004-20240508-en
The signatures, process tree and dropped files below are taken from behavioral1 (the Windows 7 x64 run); the YARA resource names are prefixed behavioral1/.
General
- Target: a65ef974cf4bc255d44fa7ab8acddf50.exe
- Size: 1.1MB
- MD5: a65ef974cf4bc255d44fa7ab8acddf50
- SHA1: dfbf0babf43166796c2f5cef62742e9bfc00c55b
- SHA256: 17df189cef5f2bdadd4265e9d5b2bf2408bbf5905389b6788aaa21bd59d889b2
- SHA512: 18bb4f417e84fea2c9b1eb20658c9bcb9a6317a50462db9c490b03ac7f7176d5c2a7c6cde9253a2991df70e866350c93ffe4ff2120f2ae85e26361d764a765dc
- SSDEEP: 24576:n8mNQarw3m8/2W9WRr0Lnw8Zaxy5KcT0zY/Or:DQa2/IRjc5K6
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Process spawned unexpected child process 15 IoCs
The sandbox's generic description of this signature is that the parent process was compromised via an exploit or macro. That is not what happened here: the parent of all 15 schtasks.exe instances is PID 1116, C:\Windows\system32\wbem\wmiprvse.exe, the WMI provider host. A child of WmiPrvSE is what a process created through the WMI Win32_Process.Create method looks like, so the sample most likely registered its tasks over WMI rather than by calling schtasks.exe directly; that is also why the schtasks.exe entries appear at depth 1 in the process tree instead of under the sample's own PID 1756.
Processes (description | pid | parent pid | process):
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2672 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2628 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2632 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2524 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2480 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2168 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2776 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 1116 | schtasks.exe
-
YARA matches for the DcRat signature above (resource | yara_rule), 3 IoCs:
behavioral1/memory/1756-1-0x00000000008F0000-0x0000000000A0A000-memory.dmp | dcrat
C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe | dcrat
behavioral1/memory/1988-23-0x0000000000150000-0x000000000026A000-memory.dmp | dcrat
-
Executes dropped EXE 1 IoCs
Processes (pid | process):
1988 | spoolsv.exe
-
Drops file in Program Files directory 6 IoCs
Processes (description | ioc), all created by a65ef974cf4bc255d44fa7ab8acddf50.exe:
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\27d1bcfc3c54e0
File created | C:\Program Files (x86)\Windows Mail\en-US\a65ef974cf4bc255d44fa7ab8acddf50.exe
File created | C:\Program Files (x86)\Windows Mail\en-US\ece3b9136ae8fd
File created | C:\Program Files (x86)\Google\spoolsv.exe
File created | C:\Program Files (x86)\Google\f3b6ecef712a24
Each dropped executable is paired with a 14-hex-character companion file in the same directory (27d1bcfc3c54e0, ece3b9136ae8fd, f3b6ecef712a24); when hunting, treat those marker files as indicators alongside the executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process): schtasks.exe with PIDs 2872, 2628, 2756, 2632, 2524, 2544, 2988, 2672, 2828, 2972, 2168, 2652, 2696, 2480, 2776 (the full command lines are in the process tree below)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid | process):
1756 | a65ef974cf4bc255d44fa7ab8acddf50.exe
1988 | spoolsv.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 1756 | a65ef974cf4bc255d44fa7ab8acddf50.exe
Token: SeDebugPrivilege | 1988 | spoolsv.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes (description | pid | process | target process). Each pair is recorded three times; every write goes to a process the writer itself just spawned, so this is the parent/child start-up footprint of process creation, not injection into a foreign process:
PID 1756 wrote to memory of 2948 | 1756 | a65ef974cf4bc255d44fa7ab8acddf50.exe | cmd.exe (3 times)
PID 2948 wrote to memory of 3008 | 2948 | cmd.exe | w32tm.exe (3 times)
PID 2948 wrote to memory of 1988 | 2948 | cmd.exe | spoolsv.exe (3 times)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The bracketed number is the depth in the sandbox's process tree; signatures are listed per process.
- [1] C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe (PID 1756)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\a65ef974cf4bc255d44fa7ab8acddf50.exe"
  signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe (PID 2948)
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z86xEElT71.bat"
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\w32tm.exe (PID 3008)
      cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      signatures: none
    - [3] C:\Program Files (x86)\Google\spoolsv.exe (PID 1988)
      cmdline: "C:\Program Files (x86)\Google\spoolsv.exe"
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\schtasks.exe (PID 2672, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\smss.exe'" /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2696, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2872, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2628, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "a65ef974cf4bc255d44fa7ab8acddf50a" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\a65ef974cf4bc255d44fa7ab8acddf50.exe'" /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2756, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "a65ef974cf4bc255d44fa7ab8acddf50" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\a65ef974cf4bc255d44fa7ab8acddf50.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2828, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "a65ef974cf4bc255d44fa7ab8acddf50a" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\en-US\a65ef974cf4bc255d44fa7ab8acddf50.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2632, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\spoolsv.exe'" /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2524, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\spoolsv.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2480, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\spoolsv.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2544, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2972, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2988, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2168, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2776, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe (PID 2652, parent PID 1116 wmiprvse.exe)
  cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)

Reading the tree: the sample (PID 1756) writes a 206-byte batch file to %TEMP% and runs it through cmd.exe. The batch calls w32tm /stripchart against localhost with /samples:2 and /period:5, which does nothing useful as time synchronisation but burns a few seconds; it serves as a built-in delay before the batch launches the dropped copy C:\Program Files (x86)\Google\spoolsv.exe (PID 1988), which then continues with the same behaviour as the original (SeDebugPrivilege, process enumeration). Persistence follows a fixed pattern per dropped copy: three tasks per binary, a MINUTE trigger without /rl (a watchdog that relaunches the copy if it is killed), an ONLOGON trigger with /rl HIGHEST, and a second MINUTE trigger with /rl HIGHEST, all with /f to overwrite any existing task of that name. The task and file names (smss, spoolsv, taskhost, System) mimic genuine Windows binaries, but none of the targets lives in System32, and two of them sit in directories no Windows component launches from (C:\Recovery\<GUID>\ and C:\Users\All Users\Documents). Note that the tree records five distinct targets but the "Drops file in Program Files directory" signature lists only three, because C:\Recovery and C:\Users\All Users are outside Program Files.
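The following is an added triage script, not part of the sandbox report or of any tool it names. It parses the 15 schtasks /create command lines from the process tree above (copied from the report and embedded as inline sample input) and flags the properties that make them persistence: Windows system-binary names that point outside System32/SysWOW64, targets under C:\Recovery or C:\Users\All Users, a hash-like executable name, /rl HIGHEST, and MINUTE triggers short enough to act as a watchdog. The name list, the two "odd root" directories and the 15-minute threshold are my own heuristics, chosen to match this report; they are assumptions, not something the report states.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# The 15 "schtasks /create" command lines from the process tree above, copied
# from the report and embedded here as constructed sample input so this runs offline.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\smss.exe'" /f''',
    r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "a65ef974cf4bc255d44fa7ab8acddf50a" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\a65ef974cf4bc255d44fa7ab8acddf50.exe'" /f''',
    r'''schtasks.exe /create /tn "a65ef974cf4bc255d44fa7ab8acddf50" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\a65ef974cf4bc255d44fa7ab8acddf50.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "a65ef974cf4bc255d44fa7ab8acddf50a" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\en-US\a65ef974cf4bc255d44fa7ab8acddf50.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\spoolsv.exe'" /f''',
    r'''schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\spoolsv.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\spoolsv.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /rl HIGHEST /f''',
]

# Names of real Windows binaries that the dropper borrows for its copies (my list, an
# assumption). The genuine ones live in System32/SysWOW64; the same name elsewhere is a masquerade.
SYSTEM_BINARY_NAMES = {"smss.exe", "csrss.exe", "spoolsv.exe", "taskhost.exe",
                       "svchost.exe", "lsass.exe", "system.exe", "winlogon.exe"}
SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows\System32"), PureWindowsPath(r"C:\Windows\SysWOW64"))
# Drop locations seen in this report from which no legitimate task should launch (assumption).
ODD_ROOTS = (PureWindowsPath(r"C:\Recovery"), PureWindowsPath(r"C:\Users\All Users"))
# schtasks switches that take a value; enough of the set to parse /create lines.
VALUE_SWITCHES = {"/tn", "/sc", "/mo", "/tr", "/rl", "/st", "/sd", "/ed",
                  "/ru", "/rp", "/d", "/m", "/ri", "/du", "/delay"}
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace, keeping double-quoted arguments whole (a small
    tokenizer for schtasks lines, not a full CommandLineToArgvW)."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def parse_schtasks_create(cmdline: str) -> dict[str, str]:
    """Map each /switch of a 'schtasks /create' line to its value ('' for bare switches like /f)."""
    toks = tokenize(cmdline)
    if len(toks) < 2 or toks[1].lower() != "/create":
        raise ValueError("not a schtasks /create command line")
    opts: dict[str, str] = {}
    i = 2
    while i < len(toks):
        key = toks[i].lower()
        takes_value = key in VALUE_SWITCHES and i + 1 < len(toks)
        opts[key] = toks[i + 1] if takes_value else ""
        i += 2 if takes_value else 1
    return opts


@dataclass
class TaskFinding:
    task_name: str
    schedule: str
    interval_min: int | None
    run_level: str
    target: PureWindowsPath
    reasons: list[str] = field(default_factory=list)   # why the launched binary itself looks wrong
    context: list[str] = field(default_factory=list)   # trigger/privilege details that raise impact

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess(cmdline: str) -> TaskFinding:
    """Apply the persistence heuristics this report's tasks exhibit."""
    opts = parse_schtasks_create(cmdline)
    target = PureWindowsPath(opts.get("/tr", "").strip("'"))   # the /tr value is wrapped in '...'
    interval = int(opts["/mo"]) if opts.get("/mo", "").isdigit() else None
    f = TaskFinding(opts.get("/tn", ""), opts.get("/sc", "").upper(), interval,
                    opts.get("/rl", "LIMITED").upper(), target)   # LIMITED is the schtasks default
    if target.name.lower() in SYSTEM_BINARY_NAMES and target.parent not in SYSTEM_DIRS:
        f.reasons.append("system-binary name outside a system directory")
    if any(target.is_relative_to(root) for root in ODD_ROOTS):
        f.reasons.append("launches from an unusual drop location")
    if re.fullmatch(r"[0-9a-f]{32}", target.stem.lower()):
        f.reasons.append("hash-like executable name")
    if f.run_level == "HIGHEST":
        f.context.append("requests highest run level (/rl HIGHEST)")
    if f.schedule == "MINUTE" and interval is not None and interval <= 15:   # threshold is an assumption
        f.context.append(f"relaunches every {interval} min (watchdog-style)")
    return f


def persistence_map(findings: list[TaskFinding]) -> dict[str, list[str]]:
    """Group task names by launched binary; in this report every dropped copy gets three tasks."""
    by_target: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        by_target[str(f.target)].append(f.task_name)
    return dict(by_target)


if __name__ == "__main__":
    results = [assess(c) for c in SAMPLE_CMDLINES]
    for f in results:
        print(f"{'SUSPICIOUS' if f.suspicious else 'ok':10} {f.task_name:34} {f.schedule:8} {f.target}")
        print("           " + "; ".join(f.reasons + f.context))
    for target, names in persistence_map(results).items():
        print(f"{len(names)} tasks -> {target}: {', '.join(names)}")
```

On a live host the same checks apply to the task definitions themselves rather than to command lines: the XML files under C:\Windows\System32\Tasks carry the same /tr target, trigger and RunLevel fields, and because these tasks were created through WMI you will not see schtasks.exe under the sample's PID, so hunt on the task content, not only on the schtasks process ancestry.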
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe
  Filesize: 1.1MB
  MD5: a65ef974cf4bc255d44fa7ab8acddf50
  SHA1: dfbf0babf43166796c2f5cef62742e9bfc00c55b
  SHA256: 17df189cef5f2bdadd4265e9d5b2bf2408bbf5905389b6788aaa21bd59d889b2
  SHA512: 18bb4f417e84fea2c9b1eb20658c9bcb9a6317a50462db9c490b03ac7f7176d5c2a7c6cde9253a2991df70e866350c93ffe4ff2120f2ae85e26361d764a765dc
  All four hashes match the submitted sample exactly: the dropped copy is a byte-for-byte self-copy, so the original file hash is sufficient to find every persisted copy on disk.
- C:\Users\Admin\AppData\Local\Temp\Z86xEElT71.bat
  Filesize: 206B
  MD5: 8c9048dcb1e212b68cb9aaeeb55f4961
  SHA1: 0002adaaf8ea0bc7ba12da9b18540cca3c689878
  SHA256: 10b95c08834aaaca2a6f69b4385e4ea72a69514487a1cb901da3731400908857
  SHA512: 1c0111b7f1fa9162347bea3b00a8875a140ca87ed7171ce36ed38a351e4e18cad673000d4d89bbc97e8dd68e226047418645020708ca0964086b4f34e8e0d1d1
- Memory dumps (resource | filesize):
  memory/1756-0-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp | 4KB
  memory/1756-1-0x00000000008F0000-0x0000000000A0A000-memory.dmp | 1.1MB
  memory/1756-2-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp | 9.9MB
  memory/1756-3-0x00000000005D0000-0x00000000005EC000-memory.dmp | 112KB
  memory/1756-4-0x00000000005F0000-0x0000000000602000-memory.dmp | 72KB
  memory/1756-20-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp | 9.9MB
  memory/1988-23-0x0000000000150000-0x000000000026A000-memory.dmp | 1.1MB